@evost
Created April 10, 2024 15:37
{
  "Potential Shadow File Read via Command Line Utilities": {
    "artifacts": [
      {
        "dataType": "domain",
        "data": "host.hostname",
        "message": "localhost"
      },
      {
        "dataType": "ip",
        "data": "process.entry_leader.entry_meta.source.ip",
        "tags": [
          "ssh",
          "client"
        ]
      }
    ],
    "custom_fields": {
      "host": "host.hostname",
      "user": "user.name",
      "command-line": "process.command_line",
      "process": "process.executable",
      "pid": "process.pid",
      "parent-process": "process.parent.executable",
      "ppid": "process.parent.pid",
      "pwd": "process.working_directory"
    }
  }
}
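The gist carries only the mapping; it does not say how a connector consumes it. The Python below is an added example, not code from the gist or from any Elastic/TheHive connector, and it assumes the natural reading of the JSON: each `artifacts` entry names a TheHive observable `dataType` and the ECS field (dotted path) whose value becomes the observable, with optional `message` and `tags`; each `custom_fields` entry maps a case custom-field label to an ECS field. The rule-name path `kibana.alert.rule.name`, the helper names and the two sample alerts are assumptions made for the example. The resolver handles both nested and flattened ECS documents and drops an observable whose field is absent (for instance the SSH source IP of a session that did not come in over SSH), so the ip observable is only created when the alert really carries one.

```python
import json
from typing import Any, Dict, Optional

# Mapping as given in the gist: Elastic rule name -> TheHive observables / custom fields.
RULE_MAP = {
    "Potential Shadow File Read via Command Line Utilities": {
        "artifacts": [
            {"dataType": "domain", "data": "host.hostname", "message": "localhost"},
            {"dataType": "ip", "data": "process.entry_leader.entry_meta.source.ip",
             "tags": ["ssh", "client"]},
        ],
        "custom_fields": {
            "host": "host.hostname",
            "user": "user.name",
            "command-line": "process.command_line",
            "process": "process.executable",
            "pid": "process.pid",
            "parent-process": "process.parent.executable",
            "ppid": "process.parent.pid",
            "pwd": "process.working_directory",
        },
    }
}

# Assumed location of the rule name in an Elastic alert document (alerts-as-data index).
RULE_NAME_PATH = "kibana.alert.rule.name"


def get_path(doc: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted ECS path; accepts nested dicts or flattened 'a.b.c' keys."""
    if path in doc:
        return doc[path]
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def build_case_payload(alert: Dict[str, Any]) -> Dict[str, Any]:
    """Turn one alert into TheHive-style observables and custom fields via RULE_MAP."""
    mapping = RULE_MAP.get(get_path(alert, RULE_NAME_PATH))
    if mapping is None:
        return {"observables": [], "customFields": {}}
    observables = []
    for art in mapping["artifacts"]:
        value = get_path(alert, art["data"])
        if value in (None, ""):
            continue  # field absent from this alert: no observable, no empty placeholder
        observables.append({
            "dataType": art["dataType"],
            "data": str(value),
            "message": art.get("message", ""),
            "tags": list(art.get("tags", [])),
        })
    custom_fields = {}
    for label, path in mapping["custom_fields"].items():
        value = get_path(alert, path)
        if value is not None:
            custom_fields[label] = value
    return {"observables": observables, "customFields": custom_fields}


# Constructed sample alert: a shadow read from an interactive SSH session.
SAMPLE_ALERT_SSH = {
    "kibana": {"alert": {"rule": {"name": "Potential Shadow File Read via Command Line Utilities"}}},
    "host": {"hostname": "web-01"},
    "user": {"name": "deploy"},
    "process": {
        "pid": 4242,
        "executable": "/usr/bin/cat",
        "command_line": "cat /etc/shadow",
        "working_directory": "/home/deploy",
        "parent": {"pid": 4100, "executable": "/usr/bin/bash"},
        "entry_leader": {"entry_meta": {"type": "sshd", "source": {"ip": "203.0.113.7"}}},
    },
}

# Constructed sample alert in flattened form, from a local console session (no SSH source IP).
SAMPLE_ALERT_LOCAL = {
    "kibana.alert.rule.name": "Potential Shadow File Read via Command Line Utilities",
    "host.hostname": "web-01",
    "user.name": "root",
    "process.pid": 5150,
    "process.executable": "/usr/bin/grep",
    "process.command_line": "grep deploy /etc/shadow",
    "process.working_directory": "/root",
    "process.parent.pid": 5100,
    "process.parent.executable": "/usr/bin/bash",
    "process.entry_leader.entry_meta.type": "init",
}

if __name__ == "__main__":
    print(json.dumps(build_case_payload(SAMPLE_ALERT_SSH), indent=2))
    print(json.dumps(build_case_payload(SAMPLE_ALERT_LOCAL), indent=2))
```

Skipping absent fields matters in practice: a connector that blindly emits an ip observable with an empty or null value for every console session creates junk observables in TheHive and, worse, can make unrelated cases look linked through a shared empty observable.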